The underlying problem seems to be that companies confuse identification with authentication.<p>A driver's license number is a unique ID. The physical card with security features and a photo is the authentication that it belongs to me, holding it.<p>Same thing with social security numbers. That can be treated as an identifier, so the bank can talk about an individual. But not as authentication and authorization to open new accounts.<p>Data breaches would be so much less scary if banks and similar didn't keep screwing this up.
Some states' driver's license numbers are deterministically computed from your name, date of birth and gender.<p>If you live in one of those states and your data is already out there (through a previous breach) then your driver's license number is already public knowledge to hackers.<p>According to an online calculator this applies to these states:<p>Florida<p>Illinois<p>Maryland<p>Michigan<p>Minnesota (Prior to December 13, 2004 only)<p>Nevada (Prior to January 1998 only)<p>New Hampshire<p>New Jersey<p>New York (Prior to September 1992 only)<p>Washington<p>Wisconsin<p><a href="http://www.highprogrammer.com/alan/numbers/dl_us_shared.html" rel="nofollow">http://www.highprogrammer.com/alan/numbers/dl_us_shared.html</a>
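The comment above only states that these numbers are computed from name, date of birth and sex; the thread does not give the encodings, and the state-specific first-name and birth-date tables are not reproduced here. The added example below (not code from the thread or from the linked calculator) implements American Soundex, the surname step that the Florida, Illinois and Wisconsin formats are commonly described as starting with. It is a standard, lossy, deterministic hash of a public attribute, which is the whole point: anyone holding a breached name can recompute it, so it cannot function as a secret. The surnames used are constructed test inputs.

```python
"""Added example: American Soundex, the surname encoding commonly described for
the Florida, Illinois and Wisconsin license-number schemes. Deterministic and
lossy, so it shows why a number derived this way is an identifier that can be
recomputed from public data, not an authenticator. The per-state first-name and
birth-date tables that make up the rest of those numbers are not reproduced."""

SOUNDEX_CODES = {}
for _letters, _digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                         ("L", "4"), ("MN", "5"), ("R", "6")):
    for _ch in _letters:
        SOUNDEX_CODES[_ch] = _digit


def soundex(surname: str) -> str:
    """Standard American Soundex: first letter plus three digits, zero padded."""
    letters = [c for c in surname.upper() if c.isalpha()]
    if not letters:
        return ""
    out = letters[0]
    prev = SOUNDEX_CODES.get(letters[0])   # the first letter's code suppresses an equal neighbour
    for ch in letters[1:]:
        if ch in "HW":
            continue                       # H and W are transparent: codes either side still merge
        code = SOUNDEX_CODES.get(ch)
        if code is None:
            prev = None                    # a vowel separates otherwise-repeated codes
            continue
        if code != prev:
            out += code
            if len(out) == 4:
                break
        prev = code
    return (out + "000")[:4]


def colliding_surnames(names):
    """Group surnames that share a Soundex code, i.e. would share that part of the number."""
    groups = {}
    for n in names:
        groups.setdefault(soundex(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed inputs: classic Soundex reference names, not real cardholders.
    for n in ("Robert", "Rupert", "Rubin", "Ashcraft", "Tymczak", "Pfister"):
        print(n, soundex(n))
    print(colliding_surnames(["Robert", "Rupert", "Rubin"]))
```

The output space of this field is at most 26 letters times 1000 digit strings, and every one of those values is reachable from a surname that is already in the breached record. Adding the encoded first name, birth year and birth date on top changes nothing about secrecy, since those attributes are in the same record.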
Note that these days if you go into one of many bars, pick up certain prescriptions, or buy alcohol at a supermarket, your DL is electronically scanned and all the info is read from the mag stripe or optical code on the back. The justification is that this prevents the checker (checkout person, bouncer etc.) from violating the law, protecting the business and the employee.<p>The companies that sell the "age verifier" scanners collect all the scanned info, rather than merely verifying age. The big pharmacies and big supermarkets collect it all for marketing (in the pharmacy case it's also used for government pharmaceutical surveillance, in particular for the DEA).<p>I've long been appalled that DLs contain anything more than required to drive (a field biometric like a photo, expiry date, class of service, and a confidential identifier so it can be checked by a cop for revocation). But that cat would be impossible to stuff back into the bag.
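To make concrete how much a scanner gets versus how little an age check needs, here is an added example (not code from the thread, and not any vendor's scanner software) that parses the AAMVA PDF417 layout used on the back of US licenses and then reduces it to the only two facts a bouncer or cashier needs. The payload is constructed in the block itself; the IIN, license number and every other field value are made up and do not describe a real card, and the single-subfile layout is an assumption chosen to keep the sample short.

```python
"""Added example: parse an AAMVA-style PDF417 payload (the 2D barcode on the
back of a US driver's license) and derive only what an age verifier needs.
The sample payload is constructed here and describes no real card; the IIN
"636000", the license number and all other values are invented."""
from datetime import date

AAMVA_PREFIX = "@\n\x1e\rANSI "   # compliance indicator, LF, RS, CR, file type

# Constructed sample. Element IDs follow the AAMVA DL/ID standard: DAQ license
# number, DCS surname, DAC given name, DAD middle name, DBB birth date,
# DBA expiry, DBC sex, DAG/DAI/DAJ/DAK address. Values are fictitious.
SAMPLE_ELEMENTS = {
    "DAQ": "X123-456-78-901-0",
    "DCS": "DOE",
    "DAC": "JANE",
    "DAD": "NONE",
    "DBB": "07041990",   # MMDDCCYY
    "DBA": "07042027",   # MMDDCCYY
    "DBC": "2",          # 1 = male, 2 = female
    "DAG": "123 MAIN ST",
    "DAI": "ANYTOWN",
    "DAJ": "FL",
    "DAK": "320990000",
}


def build_payload(elements, iin="636000", version="09"):
    """Assemble a one-subfile ('DL') payload with a correct offset/length designator."""
    body = "DL" + "".join(f"{k}{v}\n" for k, v in elements.items()) + "\r"
    header = AAMVA_PREFIX + iin + version + "00" + "01"   # jurisdiction version, subfile count
    offset = len(header) + 10                             # one 10-char designator follows the header
    designator = f"DL{offset:04d}{len(body):04d}"
    return header + designator + body


def parse_payload(raw):
    """Return (header info, {element_id: value}) for every subfile the payload lists."""
    if not raw.startswith(AAMVA_PREFIX):
        raise ValueError("not an AAMVA payload")
    i = len(AAMVA_PREFIX)
    hdr = {"iin": raw[i:i + 6], "version": raw[i + 6:i + 8],
           "jurisdiction_version": raw[i + 8:i + 10]}
    count = int(raw[i + 10:i + 12])
    pos = i + 12
    fields = {}
    for _ in range(count):
        sub_type = raw[pos:pos + 2]
        offset, length = int(raw[pos + 2:pos + 6]), int(raw[pos + 6:pos + 10])
        pos += 10
        data = raw[offset:offset + length]
        if data.startswith(sub_type):          # subfile data repeats its two-letter type
            data = data[2:]
        for rec in data.split("\n"):
            rec = rec.rstrip("\r")
            if len(rec) >= 3:                  # three-letter element ID, then the value
                fields[rec[:3]] = rec[3:]
    return hdr, fields


def _mmddccyy(s):
    return date(int(s[4:8]), int(s[0:2]), int(s[2:4]))


def age_on(fields, today):
    """Whole years since DBB, not counting a birthday that has not happened yet this year."""
    born = _mmddccyy(fields["DBB"])
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def age_check_record(fields, today, minimum=21):
    """All an age verifier needs to retain: the decision and card validity, no identity."""
    return {
        "meets_minimum_age": age_on(fields, today) >= minimum,
        "card_expired": today > _mmddccyy(fields["DBA"]),
    }


if __name__ == "__main__":
    hdr, fields = parse_payload(build_payload(SAMPLE_ELEMENTS))
    print("scanner receives:", hdr, fields)
    print("verifier needs:", age_check_record(fields, date.today()))
```

The contrast between the two print lines is the comment's point: the barcode hands over the license number, full name, date of birth, sex and home address in one scan, while the legal question ("is this person at least 21, on a card that has not expired") needs two booleans and no identifier at all. A scanner that stores the first dictionary rather than the second has chosen to collect, not to verify.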
> We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver's license number through the online sales system on our website.<p>I wish there were some additional clarification around what "online sales system" is.<p>Is that the system I use to buy insurance?<p>Or is that the system Geico uses to sell my information (which, aside from breaches, might be the other way 3rd party access is gained to my personal information)?
Hah, Geico's internal claim system is a giant (internal) FTP dump of scans connected to a web front end. The FTP has endless scans of claims checks, etc., including DL numbers.<p>Maybe they should change their dev environment SQL passwords from SA.
<i>In a data breach notification to impacted individuals, the company reveals that, between January 21 and March 1, 2021, using customer information acquired elsewhere, fraudsters managed to gain unauthorized access to driver's license numbers by abusing the online sales system on Geico's website.</i> [0]<p>0. <a href="https://www.securityweek.com/car-insurance-company-geico-discloses-data-breach" rel="nofollow">https://www.securityweek.com/car-insurance-company-geico-dis...</a><p>It took them 6 weeks to report to CA AG:<p>Organization Name: Government Employees Insurance Company<p>Date(s) of Breach: 01/21/2021, 03/01/2021<p>Reported Date: 04/15/2021<p><a href="https://oag.ca.gov/privacy/databreach/list?field_sb24_org_name_value=Government+Employees+Insurance+Company&field_sb24_breach_date_value%5Bmin%5D%5Bdate%5D=&field_sb24_breach_date_value%5Bmax%5D%5Bdate%5D=" rel="nofollow">https://oag.ca.gov/privacy/databreach/list?field_sb24_org_na...</a>